Question
I set up a new Blazor .NET project in Visual Studio 2019 (preview 5), add Azure AD B2C (AADB2C) and deploy it to an Azure Docker App Service.
If I don't enable OAuth2 implicit flow in AADB2C, then I get the following error using an AADB2C V2 Sign-In-Flow:
error=unauthorized_client&error_description=AADB2C90057%3A+The+provided+application+is+not+configured+to+allow+the+%27OAuth%27+Implicit+flow.
However, the AADB2C site advises against using this flow unless required for a serverless SPA. It recommends MSAL. However, I do have a single ASP.NET Core 3.1 server. So what can I use instead of the implicit flow? (pointers?) Or why is the implicit flow still required/best?
Answer 1:
Blazor is a single-page application, so you can use implicit flow; it is recommended that you enable implicit flow.
Compared with other authorization flows, implicit authorization has more risks, mainly because it enables applications that execute active code and are provided to the browser by remote resources. If you are planning a SPA architecture, do not set up back-end components or try to call Web APIs through JavaScript, but use implicit flow to obtain tokens.
Answer 2:
I feel like I must be missing something, but it seems like as long as this is hardcoded in AzureAdB2COpenIDConnectEventHandlers.cs:
    context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.IdToken;
that implicit is the only OIDC flow possible with Authentication.AzureADB2C.UI. In theory it should be possible to override that, maybe something like this?
    services.Configure<OpenIdConnectOptions>(oidcOptions =>
        oidcOptions.Events.OnRedirectToIdentityProvider = CustomRedirectToIdentityProviderDelegate);
But I don't know what else would have to change. Also, I too would like to know why this is the way it is.
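One way to carry the override suggested above through to authorization code flow with PKCE, as an added example that is not from the question or either answer. It assumes an ASP.NET Core 3.1 Startup using the AzureADB2C.UI package, a configuration key AzureAdB2C:ClientSecret that you add yourself, and that the package's own OnRedirectToIdentityProvider handler (the one hardcoding id_token) is registered before this lambda, so wrapping it here runs last.

```csharp
// Added example (not from the question or answers). Startup.ConfigureServices for
// ASP.NET Core 3.1 with Microsoft.AspNetCore.Authentication.AzureADB2C.UI.
// Assumption: the package's own OnRedirectToIdentityProvider handler is configured
// first and only forces ResponseType = IdToken, so wrapping it here wins.
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Template wiring: binds Instance, Domain, ClientId, SignUpSignInPolicyId, ...
        services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
            .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

        // Post-configure the OIDC handler the B2C package registers under its own scheme.
        services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
        {
            // Confidential client: the server holds the secret, so implicit flow is not needed.
            options.ClientSecret = Configuration["AzureAdB2C:ClientSecret"]; // assumed config key
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.ResponseMode = OpenIdConnectResponseMode.FormPost;
            options.UsePkce = true;      // code_challenge is sent because ResponseType == Code
            options.SaveTokens = true;   // keep tokens server-side for later API calls

            // Wrap, don't replace: the package's handler also selects the B2C policy.
            options.Events ??= new OpenIdConnectEvents();
            var inner = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async context =>
            {
                if (inner != null) await inner(context);
                // Undo the hardcoded id_token response type after the package handler has run.
                context.ProtocolMessage.ResponseType = OpenIdConnectResponseType.Code;
            };
        });
    }
}
```

With this in place the B2C app registration no longer needs implicit grant enabled, and the error quoted in the question disappears; the newer Microsoft.Identity.Web package sets up authorization code flow for B2C without this workaround.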
Source: https://stackoverflow.com/questions/61563293/why-does-blazor-net-server-visual-studio-2019-set-up-aad-b2c-to-use-oauth-impli